VideoWhen you consider all the bad things that happen to good plans, it's not surprising how often CEOs blame poor performance on poor luck. Product launches flop when customer demand is weaker than expected. A brilliantly conceived merger becomes a value-destroying menace when integration fails. Plans to expand overseas stumble over regulatory issues.
But risk-management and planning experts say such failures are usually predictable, and frequently preventable. The problem is that most planners don't think hard enough about what might go wrong before putting an idea in motion. "There's a natural tendency for executives to focus on the positives of a plan and deemphasize the risks," says Rick Funston, national practice leader for the governance and oversight group at Deloitte & Touche LLP in New York. "It's like saying, 'Let's climb Mt. Everest this weekend because it will be great fun,' without stopping to think that this will probably get you killed."
A number of companies think they have found a way to create better-examined plans — by formally linking risk management and strategic planning, something risk managers have long advocated. Indeed, a stronger bond between risk and planning was one of the goals of enterprise risk management, introduced in the 1990s. But few companies adopted ERM, and when they did, the result was often better integration of some risks — such as credit and market risk — without a real connection to strategy.
Two things have sparked renewed interest in ERM: the terrorist attacks on September 11, 2001, and the new governance rules enacted after the corporate scandals. "There is no question that this is the hottest time for ERM since we started working on it in 1991," says Michael Chagares, senior vice president at Marsh Inc. "Boards want to know if management has a corporate risk profile and a continuous view of the company's risks. And they're finding that the best way to look at risk from a corporate perspective is to integrate it into the planning process."
As a result, the new ERM programs aim to create such integration from the start. "Our main focus over the past 18 months has been building a risk culture and linking it to the business-planning process," says Kathryn W. Dindo, vice president and chief risk officer at FirstEnergy Services Corp., an Akron-based utility holding company that has implemented an enterprise risk program at the urging of its chairman.
A Gap in the Plan
There's nothing new about considering risk when making plans, of course. In fact, most companies already have some way of doing this, and some do it very well. This is usually SWOT (strengths, weaknesses, opportunities, and threats) analysis, a venerable planning method still taught in business schools. The issue is that executives tend to focus on the strengths and opportunities, but gloss over the weaknesses and threats. "Where strategic planning falls down is that there's not enough thought given to the barriers to execution — the risks," comments Rick Machold, a former business consultant and currently chief risk officer at Certegy Inc., a financial transaction processing firm in Alpharetta, Georgia. "The idea is to choose the highest-impact opportunities with the greatest likelihood of success. Companies do a good job with the first half of that logic, but not the second."
Randy Nornes, managing director of Aon Risk Services in Chicago, agrees. "Many planners don't have a great feel for the details of their risks," he says. "The result can be a great plan with poor execution, or a single event that spirals out of control."
Ford Motor's disastrous experience with its Explorer SUV several years ago illustrates what can happen when the connection between risk and planning isn't strong enough. What started as a technical problem with the Explorer's tires became a safety problem when the SUVs began flipping over on highways. This turned into a public-relations nightmare, a government-relations issue, and a source of bitter conflict with Ford's tire supplier Bridgestone/Firestone Inc. "The whole thing started to explode on them," says Funston. Arguably, if Ford's planners had thought through the cascading effects of a technical failure, they could have taken steps to prevent it or at least prepare a coordinated response with their suppliers.
Risk and Reward
To prevent such oversights from creeping into their own plans, companies are connecting planning and risk management in two ways. The first, and most common, is to vet plans and capital expenditures with the risk management department after the plans have been drafted. The other is to conduct a formal risk assessment during the actual formulation of the plans.
Genentech Inc., a South San Francisco-based biotechnology firm, is pursuing the first approach. "As strategic plans are put in place, we look at them and ask, 'If we're going to meet these goals, what must we do operationally? And what are the risks to these plans?' " says Genentech treasurer Thomas T. Thomas. Before any plan is implemented, his team works with the business to document the risks, measure them, and devise mitigation plans. "For example," he says, "if we're going to meet our five-year plan, we need to make sure that our production capacity will come online at the right time, in the right configuration, and in the right place, so that when drugs come out of the pipeline, we're ready to produce them. The supply-chain people have the functional knowledge, but the risk people can ask the questions to make sure we structure our facilities in a way that lowers the risk to the company."
Reader Comments» Post a comment